New Dashboard Notice
Bolt has launched a new Merchant Dashboard experience. See this corresponding page for help documentation that reflects the Legacy Dashboard.
Please note that Legacy Dashboard documentation may no longer have up to date information on our newest features and releases.
All requests made by Bolt to your ecommerce Merchant Callback API will be signed to ensure the authenticity of our requests. Your implementation should always verify the signature to make sure that it’s always Bolt calling your endpoint.
Bolt signs the payload and includes the HMAC signature in the request header X-Bolt-Hmac-Sha256. There are two ways to verify the payload with this signature.
How to Verify a Webhook
Step 1: Get Signing Secret
- Log in to your Bolt Merchant Dashboard.
- Navigate to Administration > API.
- Scroll to Signing Secret.
Step 2: Use Secret for Verification
Bolt generates the signature by hashing the payload using the SHA-256 hashing algorithm. The signing secret is used as the salt in the hashing. The resulting value is then Base64 encoded to transmit as plain text. You can follow the same steps to generate and verify the signature.
$hmac_header = $_SERVER['X-Bolt-Hmac-Sha256'];
function verify_webhook($payload, $hmac_header) {
$computed_hmac = base64_encode(hash_hmac('sha256', $payload, BOLT_SIGNING_SECRET, true));
return ($computed_hmac == $hmac_header);
}